Born to be breached: the worst passwords are still the most common

Bad password practices still leave Internet users' accounts at risk.

Despite the many, many cautionary tales we hear every day of e-mail, social media, and other Internet accounts being compromised, some people still haven't heeded the warnings about using easily-guessed passwords. And it isn't just the non-technical masses that are leaving themselves vulnerable.

I've railed in the past against the risks created, ironically, by companies having password policies that are too aggressive. But on the Internet, it's already been established that nearly any password is vulnerable to cracking, no matter how elaborate.

Websites' poor security often leaves them vulnerable to the bulk theft of password files—or, as in the case of the exposure at the Institute of Electrical and Electronics Engineers' IEEE.org, sometimes passwords are just sitting there on servers unencrypted, waiting to be downloaded. Even when they're encrypted, those password files can easily be cracked (as Dan Goodin reported) with a variety of readily available "password recovery" tools—and thanks to software that harnesses the power of beefier graphics processing units and vast lists of previously cracked passwords, it keeps getting easier.

Still, it doesn't help the cause very much when users pick passwords that are just begging to be exposed—not through high-horsepower cracking tools, but by flat-out guessing. Breach after breach, security analysts find that many users have used passwords that are vulnerable to even the most casual attempts at breaking—passwords like "password."

For example, an analysis of IEEE's log files found that of the 100,000 users' accounts that were exposed on IEEE.org, about 18,000 used passwords that would have been easy prey for hacking. The most common was "123456," followed closely by "ieee2012" and the ever-popular "12345678." And when hackers cracked the personal email account of the notoriously security-conscious Syrian president Bashar Hafez al-Assad, what did his password turn out to be? It was "12345."

This past week, password management tool developer SplashData published the results of what has become an annual ritual—the quest for the "scariest" passwords. An analysis of millions of stolen login credentials posted by hackers discovered that for the third year in a row, "password" was the most commonly used password, with "123456" and "12345678" still steady in the #2 and #3 positions.

Here's the full list of the top 25 most common passwords for 2012:

Rank  Password    Change in rank since last year
   1  password    Unchanged
   2  123456      Unchanged
   3  12345678    Unchanged
   4  abc123      Up 1
   5  qwerty      Down 1
   6  monkey      Unchanged
   7  letmein     Up 1
   8  dragon      Up 2
   9  111111      Up 3
  10  baseball    Up 1
  11  iloveyou    Up 2
  12  trustno1    Down 3
  13  1234567     Down 6
  14  sunshine    Up 1
  15  master      Down 1
  16  123123      Up 4
  17  welcome     New
  18  shadow      Up 1
  19  ashley      Down 3
  20  football    Up 5
  21  jesus       New
  22  michael     Up 2
  23  ninja       New
  24  mustang     New
  25  password1   New

SplashData's findings are pretty consistent with those of security consultant Mark Burnett, the author of the book Perfect Passwords. Think your password is a special snowflake, unique in the world? Burnett did an analysis of 6 million username and password combinations last year, and found that 91 percent of users had used one of the 1,000 most common passwords—with 99.8 percent using a password from the 10,000 most common. And "password" was the leader of them all, in use by 4.7 percent of user accounts.

Considering how easily those lists are obtained and turned into fodder for even the most simple password cracking schemes, choosing a simple password is like leaving your house's door unlocked. And it gets worse when you re-use passwords across multiple services with the same username—especially if one of them is your email account, or if you've linked accounts together, as Wired's Mat Honan found out when hackers hijacked his Twitter account and remote-wiped his iPhone and Mac.

Only you can stop the madness. Here are some simple things you can do to make your passwords—and your entire digital persona—more secure:

Use multifactor authentication when you can. Google's improved authentication sends you a text message with a code every time you attempt to connect to Gmail or other services with your Google account from a new location, and Dropbox and other services have followed suit. Google also generates application-specific passwords for mail clients and other software that connects to your account if it can't do the challenge-and-response type of authentication. If you use services that support this, turn it on.

Never use the same password you use for important accounts on other sites. Your password on secure sites is generally better protected than it is on web forums, blogs, social media, and other websites. Less security-focused sites can be vulnerable to attacks that give hackers access to the "hashed" (or even unencrypted) password file on the server, and if they don't use HTTPS to encrypt passwords sent to them, your password could be "sniffed" right off the network when you log in from a public Wi-Fi hub or other open network.

Use randomly generated passwords. Instead of trying to create an easy-to-remember password for your Internet credentials, use a tool to randomly generate them. Of course, SplashData publishes its "worst password" list in hopes that you'll use its password generator, SplashID Safe. But there are a number of other tools that can generate passwords for you, such as LastPass. Or you can simply use one of the many free random password generators that are out there, and store the credentials in your browser's password manager (and in another, offline location in case your browser burps).
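The two sides of the advice above, rejecting the passwords the lists say people actually pick and generating a random replacement, are short enough to show in code. The block below is an added example, not code from the article or from SplashData; it uses the 2012 top-25 list printed above as a constructed denylist, and the suffix-stripping rule (so that "Password123!" is treated as a variant of "password") and the 12-character minimum are assumptions of this example, not a policy the article states.

```python
import re
import secrets
import string

# Constructed denylist: SplashData's 2012 top-25 list as printed in the article.
# A real deployment would load a much larger list of breached passwords.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "abc123", "qwerty", "monkey", "letmein",
    "dragon", "111111", "baseball", "iloveyou", "trustno1", "1234567", "sunshine",
    "master", "123123", "welcome", "shadow", "ashley", "football", "jesus",
    "michael", "ninja", "mustang", "password1",
}

# Trailing digits/punctuation are what people bolt onto a common word to
# satisfy "must contain a number" rules ("password1", "letmein2012").
_TRAILING = re.compile(r"[\d!@#$%^&*._-]+$")


def normalize(password: str) -> str:
    """Case and surrounding whitespace carry almost no extra guessing cost."""
    return password.strip().lower()


def is_common(password: str, denylist=COMMON_PASSWORDS) -> bool:
    """True if the password, or the password minus a trailing digit/symbol
    suffix, appears in the denylist."""
    pw = normalize(password)
    if pw in denylist:
        return True
    stripped = _TRAILING.sub("", pw)
    return bool(stripped) and stripped in denylist


def check_new_password(password: str, min_length: int = 12) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable.
    min_length=12 is this example's assumption, not the article's rule."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_common(password):
        problems.append("matches a commonly used password (or a trivial variant)")
    return problems


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw from a CSPRNG (the secrets module), re-drawing in the unlikely
    event the candidate trips the same policy we enforce on users."""
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_new_password(candidate, min_length=length):
            return candidate


if __name__ == "__main__":
    for pw in ["password", "Password123!", "12345678", "correct horse battery staple"]:
        print(f"{pw!r}: {check_new_password(pw) or 'ok'}")
    print("generated:", generate_password())
```

The denylist check runs at registration and password-change time on the plaintext the user just submitted; nothing here needs the stored hash, so it composes with whatever salted hashing the site already does.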

I cannot recommend LastPass enough to people when they complain about having to remember or change their passwords.

Sadly, 9 times out of 10 those people are even too lazy to take 30 minutes to learn how to use the program and to import (and then obviously change) all of their account passwords. It's pure laziness that is at fault for all of these weak passwords. Even when you tell the individual that you'll show them the ropes of how the program works they'll usually say, "Nah, I'm OK as it is" as they type in the password they use on 20 different websites, as well as their bank...

I'm using 1Password by AgileBits and it's awesome. It supports all major browsers and runs on Windows and OS X. This application generates randomized passwords that are up to 50 characters long and you can decide how complex passwords get, i.e. how many numbers? How many special characters? You can even generate pronounceable passwords that are easy to remember, such as "ca-cone-shyw-tok".

The drawback is that I'm always depending on my password manager to login to websites as my passwords are too plenty and difficult to remember. But it's a handicap that I'm willing to take.

A lot of this password analysis has been done on breaches of non-critical sites. I'd be interested to know if people take their banking & email passwords more seriously.

We've all been in a situation where we have to quickly register a junk account to get access to a website - I use a simple 8 digit pwd. Absolutely not a best practice, but I'm lazy. When it comes to my banking, we are now talking about 15 digits that's not in any dictionary.

A lot of this password analysis has been done on breaches of non-critical sites. I'd be interested to know if people take their banking & email passwords more seriously.

We've all been in a situation where we have to quickly register a junk account to get access to a website - I use a simple 8 digit pwd. Absolutely not a best practice, but I'm lazy. When it comes to my banking, we are now talking about 15 digits that's not in any dictionary.

I assume that there's a lot of people who don't realize how critical their email password is to their overall cyber security but I bet you're quite right about banking passwords. What bugs me though is that banks seem quite slow to embrace 2-factor authentication. A number of them have it now, but it's by far not all of them, and even then, those that do don't require it.

I also have to admit that I'm in the same boat when it comes to non-critical accounts. I use the same easily cracked password on things like forum accounts. If a hacker really wants to post under my user name that badly, I won't get that mad over it.

As to password generation for MacOS folks, Keychain Access has been part of MacOS X for several years now. Using it religiously is easy.

It's a shame that Apple can't make the same magic work on iOS. I would even use iTunes to sync my website passwords if Safari weren't so un-1Password-like about the whole thing.

Yeah, agreed. On iOS, I use pwSafe to store various passwords, but not for generation, since my usage with my iPad is a bit different. It includes, for example, passwords for the systems of family I help maintain and security question answers (which I don't answer with real answers anymore).

We've all been in a situation where we have to quickly register a junk account to get access to a website - I use a simple 8 digit pwd. Absolutely not a best practice, but I'm lazy. When it comes to my banking, we are now talking about 15 digits that's not in any dictionary.

Agree. I've been known to use crap passwords places I assume they will be dumped.

Azhrei wrote:

What bugs me though is that banks seem quite slow to embrace 2-factor authentication. A number of them have it now, but it's by far not all of them, and even then, those that do don't require it.

"Guys! We need to do two factor authentication to be secure!"
"Ok - great - we can do that! How about something you know, and something everyone knows?"
"Genius! Compliance, here we come!"

The drawback is that I'm always depending on my password manager to login to websites as my passwords are too plenty and difficult to remember.

I ran into that recently. Went to my brokerage and wanted to have them change some account features while I was there for other matters. They said they would be using the exact same interface as my online access page, so I could do it on one of the machines in the lobby if I wanted to.

I sat down and opened the login page, and then realized that I had no idea what my password was - I had become so reliant on 1Password to take care of this for me.

(When I got home I checked that all my backups were in order, and exported all my passwords to a safe file to ensure that if my computer vanished in a puff of smoke I could still access all those accounts manually.)

Lastpass really helped me change my password habits. Makes it so easy to have uniquely long and crazy passwords for each individual site. Works on my iPhone, my android tablet and my mac/pc. I only have to remember my Lastpass password. If I'm on a device or computer that does not have lastpass installed, I can easily access my password library using any web browser—making sure to use privacy-modes.

Does anyone know how meaningful these lists of most common passwords actually are?

Speaking personally, I often sign up with some websites that need a user account even though I'm not planning on sticking around there. I frankly couldn't care less if the account got hacked and it's also useful to be able to quickly remember an old password to something, on the off chance I do use it in again in the future.

Therefore, for the vast majority of sites, I use some generic password that I'll remember. This doesn't apply to sites I spend any real amount of time on or that I wouldn't want hacked.

There are many environments where passwords might be subject to brute-force guessing, but I'll guess the systematic failures — theft of encrypted, but “unsalted” password files on a server — or looking under a keyboard for the password list are the much bigger danger to an organization.

Maybe for most sites my Bloomberg terminal's security — a fingerprint reader on a token that then reads a unique (?) flashing pattern on-screen and requires me to type the coded interpretation of it — is overkill. But for something like banking, requiring a security app or applet on the workstation would seem to be a positive: if the user can't control/install a onetime executable to guard/encrypt the session, the terminal shouldn't be used for the operation anyway, because he then has no way of being assured it's not compromised.

Smart assery aside, just knowing which services have two-factor authentication is nice. DropBox is nice to know, PayPal also supports it.

"I'd be interested to know if people take their banking & email passwords more seriously."

I don't think it's a question of seriousness.

This story comes from the army, where it's a way of life to make sure everything is properly secured and accounted for. You'd get done with an exercise and you're all camped out waiting for counts of weapons and other sensitive items before you can go home. And our first sergeant was no exception, in fact he was significantly more anal than most.

But the guy had a huge blind spot for passwords. One time he asked me to run an errand and gave me his ATM card. And he actually said, "now, Corporal, I don't want to hear the lecture, I know, I get it. My PIN is 1509." Which was the unit's designation, of course. And he explained that he really tried, but just wasn't good at memorizing passwords.

Having seen that contradiction a few times, I think passwords and such are just too abstract for people to know how to allocate resources (especially time) to them. How big a lock to buy is something that people can gauge pretty easily, but how to secure data or back it up is just not something most people can get a feel for.

Here's a question - perhaps those who use weak passwords use them because the site means little to them?

Those IEEE passwords - are perhaps those of accounts registered because you had to register to download or look at something? I mean, if you had to register to download some document at a site you probably won't bother visiting ever again, you'd probably just register with fake details and "password" too. Perhaps they were there to get access to the 802.X standards documents which are free to read, but require an account to download.

It always annoyed me on websites for such places that required crap like must have capitals and numbers and special symbols and change every 30 days. Well, I only accessed the damn site once every few months! So what if someone breaches my account - they get... well, what? The document I downloaded?

I'm sure there's an equally wide spectrum of Ars users. You have casual users like me who really don't use the forums or anything other than reading the Ars front page. Then I'm sure there are also hardcore Ars users who live on this site like others live on Facebook. People like me probably would use weak passwords because the real big gain of breaching my account is...? Posting as me? Those hard core users probably have stronger passwords because Ars offers lots of special stuff to people like them (subscribers, etc).

The drawback is that I'm always depending on my password manager to login to websites as my passwords are too plenty and difficult to remember.

I ran into that recently. Went to my brokerage and wanted to have them change some account features while I was there for other matters. They said they would be using the exact same interface as my online access page, so I could do it on one of the machines in the lobby if I wanted to.

I sat down and opened the login page, and then realized that I had no idea what my password was - I had become so reliant on 1Password to take care of this for me.

(When I got home I checked that all my backups were in order, and exported all my passwords to a safe file to ensure that if my computer vanished in a puff of smoke I could still access all those accounts manually.)

I've found I couldn't live without a smartphone anymore mostly thanks to my password manager. Also hit that problem lately with Windows 8, every damn app seems to want a login the first time and my live account has a randomly generated password. I had to turn off logging into Windows with my live ID because I could never remember it.

I seem to be creating a lot of pronounceable passwords thanks to the limitations of password generators - they're usually browser based. I need to remember my Apple ID, my Live ID, my work laptop, my home PC and my HTPC password.

As a web programmer myself, I blame web programmers. We should not be expecting users to have strong passwords. We should not assume that just because somebody knows the password, that they are who they claim they are.

* you can only use the pin if you have the card
* if you get the pin wrong a few times, the card is blacklisted

If I want to go into a branch and change my address, they don't ask me for my password, they ask for photo id and some kind of utility bill at the address I want to change to.

My credit card doesn't even have a password attached, all it has is some numbers that anyone can take a photo of and use almost anywhere in the world. But it doesn't matter, because there are teams of fraud detection who will kill the credit card and reverse transactions if anything suspicious happens. And if they can't reverse the transaction, they will pay for it out of their own pocket. And in the real world it works great.

Basically, I think the solution is not to force users to have strong passwords. Instead passwords should not be used to protect anything important. And when they are used to protect something not so important, two or three failed guesses should be enough to have the password deleted from the system altogether, and the user is forced to authenticate via some alternative.

If you try guessing passwords on any of the systems I work on, it will start telling you that all passwords are incorrect, even if you provide the correct password.
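The lockout behaviour the commenter describes (a few failed guesses, after which every password, the right one included, is reported as incorrect) is a small piece of server-side state. The block below is an added example, not the commenter's code or any real system's; the three-strike threshold, the 15-minute lock, the injectable clock and the `events` log are all this example's own assumptions. Refusing the correct password during the lock is deliberate: the client sees the same "denied" either way, so the guesser learns nothing about whether they have hit the right one, while the server records the lockout for alerting.

```python
import time
from collections import defaultdict
from dataclasses import dataclass

MAX_FAILURES = 3           # assumed policy: three strikes
LOCKOUT_SECONDS = 15 * 60  # assumed policy: 15-minute lock


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Per-account failed-attempt counter with a timed lockout.

    verify(username, password) -> bool is the site's real credential check
    (e.g. a salted-hash comparison); it is injected so this class never
    handles stored secrets itself. clock is injectable for testing.
    """

    def __init__(self, verify, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self._verify = verify
        self._max = max_failures
        self._lockout = lockout_seconds
        self._clock = clock
        self._state = defaultdict(AccountState)
        self.events = []  # server-side audit trail, never shown to the client

    def is_locked(self, username: str) -> bool:
        return self._clock() < self._state[username].locked_until

    def attempt(self, username: str, password: str) -> str:
        """Return "ok" or "denied". A wrong password and a locked account
        look identical to the caller; only the events log tells them apart."""
        st = self._state[username]
        now = self._clock()
        if now < st.locked_until:
            self.events.append(("attempt_while_locked", username, now))
            return "denied"
        if self._verify(username, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self._max:
            st.locked_until = now + self._lockout
            st.failures = 0
            # A lockout is the signal a detection team wants to alert on.
            self.events.append(("lockout", username, now))
        return "denied"


if __name__ == "__main__":
    # Constructed credential store for the demo; a real one holds salted hashes.
    users = {"alice": "correct-horse-battery-staple"}
    guard = LoginGuard(lambda u, p: users.get(u) == p)
    for guess in ["password", "123456", "12345678", "correct-horse-battery-staple"]:
        print(guess, "->", guard.attempt("alice", guess))
    print("events:", guard.events)
```

Because the counter is keyed by username, the same structure also feeds a rate limit keyed by source address; which key to use, and whether to notify the account holder on lockout, are deployment decisions this example leaves open.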

I seem to be creating a lot of pronounceable passwords thanks to the limitations of password generators - they're usually browser based. I need to remember my Apple ID, my Live ID, my work laptop, my home PC and my HTPC password.

Just because your password is easy to remember, doesn't mean it has to be a weak password.

This is insanely strong for example:

42bana-----NN-----as

A brute force covering mixed case alphanumeric, with symbols will have about 95 characters in the alphabet. Apply that to a 20 character password (95 ^ 20)... puuwe!

Assuming they can guess, say, a billion password per second (10 guesses per second is more realistic with your Apple ID or Live account), the universe will still end before they crack the password.

Remember. Two things matter:

* don't use the same password all over the place (and don't use a password that other people use)
* make it have a large alphabet
* make it fairly long(*)

These days all good crypto systems will salt/hash/expand your password, so *most of the time you do not need to have a random password*.

(*) length is the least important of the three, but "A4.b" definitely isn't good enough. Remember every extra character multiplies the strength by *95*. So "AA4.b" is 95 times harder than "A4.b".
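The arithmetic in this comment (a 95-character alphabet, 95^20 guesses, a billion guesses per second, and the "every extra character multiplies the work by 95" rule) is worth carrying through, together with the case the article itself makes: a password on the common list falls to a wordlist in a handful of guesses no matter what the brute-force figure says. The block below is an added example, not the commenter's or the article's code; the character-class sizes, the age-of-the-universe figure and the guess rates are constructed inputs, and the wordlist position is an illustrative assumption.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_YEARS = 1.38e10  # rounded, purely for comparison

# Printable ASCII: 26 lower + 26 upper + 10 digits + 33 other (space included) = 95,
# the "about 95" alphabet the comment refers to.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def alphabet_size(password: str) -> int:
    """Size of the smallest character-class alphabet a brute force would
    have to cover, based on which classes the password actually uses."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in password):
        size += CLASS_SIZES["symbol"]
    return size


def search_space(password: str) -> int:
    """Number of candidates an exhaustive search of that alphabet and length
    would have to try (alphabet ** length), as an exact integer."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    return len(password) * math.log2(alphabet_size(password))


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time for a pure brute force to cover the whole space."""
    return search_space(password) / guesses_per_second / SECONDS_PER_YEAR


def years_if_in_wordlist(position: int, guesses_per_second: float) -> float:
    """A password found at `position` in a common-password list costs the
    attacker `position` guesses, independent of its length or alphabet."""
    return position / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    fast = 1e9   # the comment's offline-cracking figure
    slow = 10    # the comment's online, rate-limited figure
    for pw in ["42bana-----NN-----as", "A4.b", "AA4.b", "password"]:
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, {entropy_bits(pw):.1f} bits, "
              f"{years_to_exhaust(pw, fast):.3g} years at 1e9/s, "
              f"{years_to_exhaust(pw, slow):.3g} years at 10/s")
    # "password" sits at rank 1 of the 2012 list printed in the article.
    print(f"'password' via wordlist: {years_if_in_wordlist(1, fast):.3g} years")
    print(f"AA4.b / A4.b = {search_space('AA4.b') // search_space('A4.b')}x")
```

The `entropy_bits` figure is an upper bound that assumes the password was drawn uniformly from that alphabet; a memorable construction like `42bana-----NN-----as` is less random than that, which is the point the next reply makes about patterns.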

I think one of the biggest issue isn't necessarily that it is hard to remember difficult passwords, it's that there are so many of them to remember.

After reading an article such as this one some time back, I tried to use passphrases everywhere (the ones I use are about 30 characters long, with numbers and non-alphanumerical characters, which I believe is secure enough). But the problem is that I have maybe 10 accounts I use actively, and loads more I access occasionally or only once. While I could remember rather easily a certain passphrase, knowing which one was for this account or that one quickly became impossible.

Since I was using quite regularly the "forgot password?" thing, I changed most of them back to a unique, rather easy to guess password. Ultimately, the worst that could happen with those accounts isn't worth the bother. I just kept the passphrases for 2 or 3 accounts, which is quite manageable.

As for password managers, I'm sure I'm not the only one who often checks his mail/Facebook/whatever from different computers, so it doesn't seem to be a solution.

Well, Hotmail does allow one-time codes to be used when you log in (mobile number and email); surprisingly, this is something Google does not do until after you have used your password (email password, and if that is correct then it asks for the second-factor login if enabled). They could do with implementing that one-time code via text or call as Hotmail does.

I find KeePass is fine, as I use it on Android, BlackBerry desktop and my laptop; I do not need to remember the obscure passwords I make.

More fun is trying to work out what the max limit is, as some sites [cough, this site] do not disclose the limit or, worse [again, this site], do not error when you go past this hidden limit; it just stops at the hidden limit, so it accepts the cut-off password, but the login box allows any length of password, so login fails.

I do have typeable passwords for sites I may log in to on other PCs. Facebook, Twitter, Dropbox, Google and Yahoo (text only) and Hotmail (text only) support 2-factor login.

I seem to be creating a lot of pronounceable passwords thanks to the limitations of password generators - they're usually browser based. I need to remember my Apple ID, my Live ID, my work laptop, my home PC and my HTPC password.

Just because your password is easy to remember, doesn't mean it has to be a weak password.

This is insanely strong for example:

42bana-----NN-----as

A brute force covering mixed case alphanumeric, with symbols will have about 95 characters in the alphabet. Apply that to a 20 character password (95 ^ 20)... puuwe!

Assuming they can guess, say, a billion password per second (10 guesses per second is more realistic with your Apple ID or Live account), the universe will still end before they crack the password.

Remember. Two things matter:

* don't use the same password all over the place (and don't use a password that other people use)
* make it have a large alphabet
* make it fairly long(*)

These days all good crypto systems will salt/hash/expand your password, so *most of the time you do not need to have a random password*.

(*) length is the least important of the three, but "A4.b" definitely isn't good enough. Remember every extra character multiplies the strength by *95*. So "AA4.b" is 95 times harder than "A4.b".

This sounds good, but it doesn't quite work.

The problem is that everything needs a password. I have literally hundreds, most of which I only use once a year, if even that. You simply cannot remember strong passwords for that many accounts. Having a pattern that generates strong passwords helps, but the problem is that anyone targeting you, specifically, just needs to find one website that stores passwords in plain text (and given that Sony did that, while LinkedIn didn't use hashing...) and use that to figure out what your pattern is.

Likely? Not hugely, no, but worth keeping in mind.

A password manager (especially one that can run on your phone and that has a no-install-required version you can throw on a USB drive) eliminates that chance and generates even stronger passwords.

But yeah: Main rule: Do not re-use passwords. Websites have shown themselves to be terrible custodians of such data, and every time you re-use a password you make it exponentially easier for someone to hack every account you use it on.

Second rule: Use strong passwords.

If you can find some way to generate truly strong passwords and don't re-use them, then you're set. But it's easier and simpler to just use a password manager.

Pretty much every computer and phone has Bluetooth, right? Why hasn't someone written a protocol where my phone can link up to the computer via Bluetooth, send some sort of hash of my password to the computer, which then passes it on to the website? That prevents the computer (which may be public and have a keylogger) from ever seeing my password, and I don't have to type out a 64-character password (which is one of my big concerns about using a password manager).

Yes, ars has posted this thread (or one like it) many times, replete with comments describing great ways to generate and maintain masterful secure passwords. Other forums have the same. Heck, it's even on TV national and local news. It might be amazing that folks don't heed. But I administered a time-sharing mainframe system for ~30 years. An element of security was requiring users to change passwords at least once every two weeks, using a password that hadn't been used in the past six months. Guess how many (1) calls for lockout on failure to change password and (2) insecure passwords noticed by administrators. Raucous at times

One strategy, if you're opposed to or unable to use a password manager, is to have a common password but add a site-specific string to the front.

For instance, your common string could be "house 11 of 11 glass" (spaces included). On ars, you could add a string to the front or end, like... "ArsT house 11 of 11 glass". You may want the site-specific string to be harder to guess than that, because human eyes can pick up a pattern. But it allows you to have unique passwords on each site with a minimum of fuss.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.